Snort mailing list archives
Possible bug in event queue processing - Would really appreciate some insight
From: Peter Politopoulos <ppolitop () gmail com>
Date: Sun, 15 May 2011 15:02:02 +0300
Greetings,

I would like to report a strange behavior which may or may not be a bug. What matters most at the moment for my snort development is whether this behavior is consistent or not.

Suppose we run Snort with only 2 rules:

------------
stats icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP"; sid:1000003; rev:1; priority:1;)
stats ip $HOME_NET any <> $EXTERNAL_NET any (msg:"ALL"; sid:1000004; rev:1; priority:4;)
------------

where stats is defined as:

------------
ruletype stats
{
    type alert
    output alert_csv: stdout msg,dgmlen
    output log_null
}
------------

...and the event queue is configured like this:

------------
config event_queue: log 1 order_events priority
------------

According to the snort manual: "priority - The highest priority (1 being the highest) events are ordered first."

Well, here is my surprise result - running a ping will produce only an "ALL" match alert. If I give higher priority to "ALL" then it will always produce an "ICMP" match alert - i.e. snort produces 1 alert and this for the _lowest_ priority event match.

If I config the queue to log 2 then I get both alerts but again with inverted priority - ALL shows up first and ICMP shows second.

Is this a bug, expected behavior or an artifact? Most importantly, is this consistent?

I am running Snort Version 2.8.5.2 (Build 121) on Debian.

Thank you for helping out!

Peter

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
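Added example (my own Python, not Snort source and not part of the post above): a small model of the event-queue ordering that the manual's wording implies, applied to the two rules from the post, so the result the manual predicts can be set beside the result reported. It encodes only the documented semantics (priority 1 is ordered first; `log N` keeps the first N ranked events; `order_events content_length` ranks longer matches first) plus a sid tie-break I assume for determinism. It does not model Snort's internal queue implementation and does not settle whether 2.8.5.2 is misbehaving; it only makes the expectation explicit.

```python
# Added example: a model of the event-queue ordering described in the Snort
# manual. Not Snort code. The sid tie-break is an assumption for determinism.
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    sid: int
    msg: str
    priority: int        # rule "priority:" option; 1 is the highest
    content_length: int  # bytes of matched content (order_events content_length)


# Constructed input: one ICMP echo request that matches both rules in the post.
# Neither rule has a content match, so content_length is 0 for both. Arrival
# order is deliberately "ALL" first so the model cannot get the answer for free.
PING_EVENTS: List[Event] = [
    Event(sid=1000004, msg="ALL", priority=4, content_length=0),   # "ip" rule
    Event(sid=1000003, msg="ICMP", priority=1, content_length=0),  # "icmp" rule
]


def order_events(events: List[Event], policy: str) -> List[Event]:
    """Rank a queue the way the manual describes for each order_events policy."""
    if policy == "priority":
        # "The highest priority (1 being the highest) events are ordered first."
        return sorted(events, key=lambda e: (e.priority, e.sid))
    if policy == "content_length":
        # Longest matched content first; sid as the assumed tie-break.
        return sorted(events, key=lambda e: (-e.content_length, e.sid))
    raise ValueError(f"unknown order_events policy: {policy}")


def process_queue(events: List[Event], log: int = 3,
                  order_events_policy: str = "content_length") -> List[int]:
    """Return the sids logged for one packet under
    `config event_queue: log <log> order_events <order_events_policy>`.
    Defaults are snort.conf's (log 3, order_events content_length)."""
    ranked = order_events(events, order_events_policy)
    return [e.sid for e in ranked[:log]]  # only the first `log` events are logged


def with_priorities(events: List[Event], by_sid: Dict[int, int]) -> List[Event]:
    """Copy of `events` with selected rule priorities changed (models the
    'give higher priority to ALL' experiment from the post)."""
    return [replace(e, priority=by_sid.get(e.sid, e.priority)) for e in events]


def expected_for_post() -> Dict[str, List[int]]:
    """What the manual's wording predicts for the configurations in the post."""
    swapped = with_priorities(PING_EVENTS, {1000004: 1, 1000003: 4})
    return {
        "log 1 order_events priority":
            process_queue(PING_EVENTS, log=1, order_events_policy="priority"),
        "log 2 order_events priority":
            process_queue(PING_EVENTS, log=2, order_events_policy="priority"),
        "log 1 order_events priority, ALL given priority 1":
            process_queue(swapped, log=1, order_events_policy="priority"),
    }


if __name__ == "__main__":
    # Reported in the post: [1000004], [1000004, 1000003], [1000003] respectively.
    for config, sids in expected_for_post().items():
        print(f"{config:55s} -> manual predicts {sids}")
```

Run stand-alone it prints the manual's prediction for each configuration; put the reported observation next to each line and the inversion the post describes is visible for all three cases. The `content_length` default is included only so the model can show that, with no content matches at all, that policy reduces to the tie-break and says nothing about priority.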
Current thread:
- Possible bug in event queue processing - Would really appreciate some insight Peter Politopoulos (May 15)